File name: trojan3.exe
Full analysis: https://app.any.run/tasks/4614c6c5-a706-4ee5-88b3-5f14dd6a28c4
Verdict: Malicious activity
Threats: Arkei is a stealer-type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.

Analysis date: January 23, 2019, 01:13:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer, miner, loader, xmrig, trojan, stealer, arkei, vidar, hiloti
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: A0D69C1B3F868D7030231D564E059FB1
SHA1: 9090167034C7CE3D61F6E73401C48CCD78F85351
SHA256: FBE0A158C362405D480D40676E5BDA3A9B97047F61661B9F72FF7AFA30F1697D
SSDEEP: 49152:PoMUcFI5eqRRDVsv4HHB150jqVg7HkpHMse9aglouPDAIRdPsP+fL9LQhq6/wvo/:PTUaI9OMzejqikpYbAI7XLyhq6IvorA+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • DOC001.exe (PID: 2544)
      • DOC001.exe (PID: 3952)
    • Application was dropped or rewritten from another process
      • java.exe (PID: 2276)
      • jar2.exe (PID: 2876)
      • java1.exe (PID: 3440)
      • ns83CC.tmp (PID: 3384)
      • ns81E5.tmp (PID: 2660)
      • ns82D1.tmp (PID: 3924)
      • DOC001.exe (PID: 3952)
      • dhelper.exe (PID: 2480)
      • java.exe (PID: 3728)
      • java12.exe (PID: 3396)
      • jar2.exe (PID: 2864)
      • ns933C.tmp (PID: 3816)
      • ns9251.tmp (PID: 3324)
      • ns9418.tmp (PID: 3484)
      • lsm.exe (PID: 3536)
      • dhelper.exe (PID: 2280)
    • Loads dropped or rewritten executable
      • DOC001.exe (PID: 2544)
      • jar2.exe (PID: 2876)
      • DOC001.exe (PID: 3952)
      • jar2.exe (PID: 2864)
    • Writes to a start menu file
      • DOC001.exe (PID: 2544)
      • DOC001.exe (PID: 3952)
    • Downloads executable files from the Internet
      • DOC001.exe (PID: 2544)
      • DOC001.exe (PID: 3952)
    • Changes the login/logoff helper path in the registry
      • jar2.exe (PID: 2876)
      • jar2.exe (PID: 2864)
    • Uses Task Scheduler to run other applications
      • java12.exe (PID: 3396)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 2956)
    • Connects to CnC server
      • dhelper.exe (PID: 2480)
      • dhelper.exe (PID: 2280)
    • ARKEI was detected
      • java12.exe (PID: 3396)
    • HILOTI was detected
      • dhelper.exe (PID: 2480)
      • dhelper.exe (PID: 2280)
  • SUSPICIOUS
    • Creates files in the user directory
      • trojan3.exe (PID: 3040)
      • DOC001.exe (PID: 2544)
      • java1.exe (PID: 3440)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 2720)
      • DOC001.exe (PID: 3952)
    • Starts itself from another location
      • trojan3.exe (PID: 3040)
      • java1.exe (PID: 3440)
    • Executable content was dropped or overwritten
      • trojan3.exe (PID: 3040)
      • DOC001.exe (PID: 2544)
      • java.exe (PID: 2276)
      • java1.exe (PID: 3440)
      • jar2.exe (PID: 2876)
      • cmd.exe (PID: 2720)
      • java12.exe (PID: 3396)
      • DOC001.exe (PID: 3952)
      • jar2.exe (PID: 2864)
    • Dropped object may contain URLs of miner pools
      • DOC001.exe (PID: 2544)
      • DOC001.exe (PID: 3952)
    • Starts application with an unusual extension
      • jar2.exe (PID: 2876)
      • jar2.exe (PID: 2864)
    • Starts CMD.EXE for command execution
      • ns81E5.tmp (PID: 2660)
      • ns82D1.tmp (PID: 3924)
      • ns83CC.tmp (PID: 3384)
      • ns9251.tmp (PID: 3324)
      • java12.exe (PID: 3396)
      • ns933C.tmp (PID: 3816)
      • ns9418.tmp (PID: 3484)
    • Uses TASKKILL.EXE to kill a process
      • cmd.exe (PID: 4092)
      • cmd.exe (PID: 2296)
    • Creates files in the program directory
      • java12.exe (PID: 3396)
    • Executes application which crashes
      • cmd.exe (PID: 2748)
  • INFO
    • Drops XMRig executable file
      • DOC001.exe (PID: 3952)
No Malware configuration.

TRiD (match confidence in %)

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:52:12+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 308224
UninitializedDataSize: 8192
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:52:12
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:52:12
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4388
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684
.data | 0x00009000 | 0x00048C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.79628
.ndata | 0x00052000 | 0x00040000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00092000 | 0x0000F160 | 0x0000F200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.88476

Resources

Title | Entropy | Size (bytes) | Codepage | Language | Type
1 | 5.20956 | 716 | UNKNOWN | English - United States | RT_MANIFEST
2 | 3.95465 | 9640 | UNKNOWN | English - United States | RT_ICON
3 | 4.44806 | 4264 | UNKNOWN | English - United States | RT_ICON
4 | 4.74717 | 3752 | UNKNOWN | English - United States | RT_ICON
5 | 5.41664 | 2216 | UNKNOWN | English - United States | RT_ICON
6 | 2.9738 | 1640 | UNKNOWN | English - United States | RT_ICON
7 | 3.83015 | 1384 | UNKNOWN | English - United States | RT_ICON
8 | 5.32149 | 1128 | UNKNOWN | English - United States | RT_ICON
9 | 3.26704 | 744 | UNKNOWN | English - United States | RT_ICON
10 | 3.05995 | 296 | UNKNOWN | English - United States | RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 68
Monitored processes: 29
Malicious processes: 11
Suspicious processes: 5

Behavior graph

The interactive graph is not reproduced here. Its edges are labelled "drop and start" or "start"; nodes marked "no specs" carry no specific indicators. Process nodes, in graph order: trojan3.exe, doc001.exe, java.exe, java1.exe, jar2.exe, ns81e5.tmp (no specs), cmd.exe (no specs), ns82d1.tmp (no specs), cmd.exe, ns83cc.tmp (no specs), cmd.exe (no specs), taskkill.exe (no specs), dhelper.exe (#HILOTI), doc001.exe, java.exe (no specs), java12.exe (#ARKEI), schtasks.exe (no specs), jar2.exe, cmd.exe (no specs), ns9251.tmp (no specs), ntvdm.exe (no specs), cmd.exe (no specs), ns933c.tmp (no specs), cmd.exe (no specs), ns9418.tmp (no specs), cmd.exe (no specs), taskkill.exe (no specs), dhelper.exe (#HILOTI), lsm.exe (no specs)

Process information

PID: 3040
CMD: "C:\Users\admin\AppData\Local\Temp\trojan3.exe"
Path: C:\Users\admin\AppData\Local\Temp\trojan3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 2

PID: 2544
CMD: "C:\Users\admin\AppData\Roaming\Temp\DOC001.exe"
Path: C:\Users\admin\AppData\Roaming\Temp\DOC001.exe
Parent process: trojan3.exe
User: admin
Integrity Level: MEDIUM

PID: 2276
CMD: "C:\Users\admin\AppData\Local\Temp\java.exe" -pJavajre_set7z
Path: C:\Users\admin\AppData\Local\Temp\java.exe
Parent process: DOC001.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3440
CMD: "C:\Users\admin\AppData\Local\Temp\java1.exe" -pJavajre_set8z
Path: C:\Users\admin\AppData\Local\Temp\java1.exe
Parent process: DOC001.exe
User: admin
Integrity Level: MEDIUM
Exit code: 2

PID: 2876
CMD: "C:\Users\admin\AppData\Local\Temp\Javatemp\jar2.exe"
Path: C:\Users\admin\AppData\Local\Temp\Javatemp\jar2.exe
Parent process: java.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2660
CMD: "C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns81E5.tmp" cmd /C copy /b %temp%\Javatemp\ini.jwd C:\Users\admin\AppData\Roaming\cppredistx86.exe
Path: C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns81E5.tmp
Parent process: jar2.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3372
CMD: cmd /C copy /b %temp%\Javatemp\ini.jwd C:\Users\admin\AppData\Roaming\cppredistx86.exe
Path: C:\Windows\system32\cmd.exe
Parent process: ns81E5.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3924
CMD: "C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns82D1.tmp" cmd /C copy /b %temp%\Javatemp\jare.7z1 + %temp%\Javatemp\temps.7z1 C:\Users\admin\AppData\Roaming\dhelper.exe
Path: C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns82D1.tmp
Parent process: jar2.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2720
CMD: cmd /C copy /b %temp%\Javatemp\jare.7z1 + %temp%\Javatemp\temps.7z1 C:\Users\admin\AppData\Roaming\dhelper.exe
Path: C:\Windows\system32\cmd.exe
Parent process: ns82D1.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3384
CMD: "C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns83CC.tmp" cmd /C taskkill /f /im dhelper.exe & start C:\Users\admin\AppData\Roaming\dhelper.exe
Path: C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns83CC.tmp
Parent process: jar2.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 3 057
Read events: 2 961
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 24
Suspicious files: 1
Text files: 2
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2276 | java.exe | C:\Users\admin\AppData\Local\Temp\Javatemp\ini.jwd |
  MD5:
  SHA256:
2876 | jar2.exe | C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns82D1.tmp |
  MD5:
  SHA256:
2876 | jar2.exe | C:\Users\admin\AppData\Local\Temp\nsl81D4.tmp |
  MD5:
  SHA256:
2276 | java.exe | C:\Users\admin\AppData\Local\Temp\Javatemp\jare.7z1 | executable
  MD5: 14EC03D49A0457377CD2B4F3A707D6EB
  SHA256: 353B4F2D3680385C364B5B7777704DDC2A126653D34BC1FCD52884F9F49A79F7
2276 | java.exe | C:\Users\admin\AppData\Local\Temp\Javatemp\jar2.exe | executable
  MD5: E6C0BBD63D7A40F9548AA4CF00F04AE7
  SHA256: C0540983C65310C18C1070E9BA1B874307AA667147F382BF047A1E810E840CC3
2544 | DOC001.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\java[1].dat | executable
  MD5: C5535409ED97CB0C483CD7C31CDF973D
  SHA256: 59044DDB0176647230470A213AD97F4385AE92D527D7A12F2F107BDC74C6BA06
2544 | DOC001.exe | C:\Users\admin\AppData\Roaming\Temp\NsCpuCNMiner32.exe | executable
  MD5: 3AFEB8E9AF02A33FF71BF2F6751CAE3A
  SHA256: A0EBA3FDA0D7B22A5D694105EC700DF7C7012DDC4AE611C3071EF858E2C69F08
2876 | jar2.exe | C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns83CC.tmp | executable
  MD5: 37707A29BD8EFBEB912019737BB2B584
  SHA256: 4751809EF6FD3CED738392E7C5DF6D4E3938D85711DAA0B52B045B5092913C27
2544 | DOC001.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | lnk
  MD5: 0F7C6ED7B648CEB4DFFA52C5C6F91C8C
  SHA256: EC7119553E26460F0E3BDF9150B01D77FC0FD1EFD72772C653CB24ED391DE641
2544 | DOC001.exe | C:\Users\admin\AppData\Local\Temp\java.exe | executable
  MD5: C5535409ED97CB0C483CD7C31CDF973D
  SHA256: 59044DDB0176647230470A213AD97F4385AE92D527D7A12F2F107BDC74C6BA06
HTTP(S) requests: 8
TCP/UDP connections: 9
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2544 | DOC001.exe | GET | 200 | 195.208.1.107:80 | http://rucop.ru/java.dat | RU | executable | 2.04 Mb | malicious
3952 | DOC001.exe | GET | 200 | 195.208.1.107:80 | http://kriso.ru/java12.dat | RU | executable | 200 Kb | malicious
3396 | java12.exe | POST | 301 | 88.99.66.31:80 | http://2no.co/1ajz97 | DE | html | 178 b | whitelisted
2544 | DOC001.exe | GET | 200 | 195.208.1.107:80 | http://kriso.ru/java1.dat | RU | executable | 1009 Kb | malicious
3396 | java12.exe | POST | 405 | 195.208.1.107:80 | http://ioad.pw/ioad.exe | RU | html | 182 b | malicious
2480 | dhelper.exe | GET | 404 | 208.100.26.251:80 | http://ce893c41a8.pw/index.php?a=1&h=0b76&b=1&p=d1&i=1BD7E3DD0BC6CDDD439E939EB6623F0D | US | html | 580 b | malicious
2280 | dhelper.exe | GET | 404 | 208.100.26.251:80 | http://ce893c41a8.pw/index.php?a=1&h=0b76&b=1&p=d1&i=ACF1D54C4360908F83CB0B6A710C9862 | US | html | 580 b | malicious
2280 | dhelper.exe | GET | 404 | 208.100.26.251:80 | http://6ae79845b2.pw/index.php?a=1&h=4f2f&b=1&p=d1&i=ACF1D54C4360908F83CB0B6A710C9862 | US | html | 580 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3396 | java12.exe | 88.99.66.31:80 | 2no.co | Hetzner Online GmbH | DE | malicious
3396 | java12.exe | 88.99.66.31:443 | 2no.co | Hetzner Online GmbH | DE | malicious
2544 | DOC001.exe | 195.208.1.107:80 | rucop.ru | Autonomous Non-commercial Organization Regional Network Information Center | RU | suspicious
2480 | dhelper.exe | 208.100.26.251:80 | ce893c41a8.pw | Steadfast | US | suspicious
3396 | java12.exe | 195.208.1.107:80 | rucop.ru | Autonomous Non-commercial Organization Regional Network Information Center | RU | suspicious
3952 | DOC001.exe | 195.208.1.107:80 | rucop.ru | Autonomous Non-commercial Organization Regional Network Information Center | RU | suspicious
2280 | dhelper.exe | 208.100.26.251:80 | ce893c41a8.pw | Steadfast | US | suspicious

DNS requests

Domain | IP | Reputation
rucop.ru | 195.208.1.107 | malicious
kriso.ru | 195.208.1.107 | malicious
ce893c41a8.pw | 208.100.26.251 | malicious
2no.co | 88.99.66.31 | whitelisted
ioad.pw | 195.208.1.107 | malicious
6ae79845b2.pw | 208.100.26.251 | malicious
fa41b00ded.pw | (no IP listed) | unknown
cfa7fed9a2.pw | (no IP listed) | unknown
7bedab72f1.pw | (no IP listed) | unknown
fe32f3c117.pw | (no IP listed) | unknown

Threats

PID | Process | Class | Message
2544 | DOC001.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
2544 | DOC001.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
2544 | DOC001.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2544 | DOC001.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
2544 | DOC001.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
2544 | DOC001.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3952 | DOC001.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3952 | DOC001.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
3952 | DOC001.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
(no PID listed) | (no process listed) | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
5 ETPRO signatures available at the full report
No debug info